Find your Flow to Manage the Complexity

“A new report issued by the AICPA and North Carolina State University’s (NCSU) Enterprise Risk Management (ERM) Initiative found that 65 percent of senior finance leaders agree that the volume and complexity of corporate risks have changed ‘mostly’ or ‘extensively’ over the last five years.” – North Carolina State University

The contents of the 2022 report come as no surprise.  The challenges posed by complexity and increasing risks are contributing to companies leaving a lot of value (money) on the table.

Not ideal!  There are several factors to consider.

Have you noticed how ‘Risk’ has become like ‘The Internet of Things’ (IoT)? Risk is as complex, deep, and diverse as the IoT.

Understanding how risk creates value in complex environments means we must look beyond what risk has traditionally represented – health & safety, hazards, finance, and insurance.

We had to elevate our understanding of the internet (and now the Metaverse!) – Why not elevate how we understand risk?

Businesses recognize that risks can be positive and negative, just like it is with the IoT. The difference is that the conversations about risk have not changed to the degree they have with IoT.

By taking a comparative view of the similarities between IoT and risks, it becomes evident that risk deserves the level of attention that IoT got when its impact was felt in the business.

The gap being exposed is the incomplete integration of risk into business practices, resulting in a failure to demonstrate how value is created.

How do we measure the value of something that is based on indicators, scenarios and assumptions?

In sectors such as mining, oil & gas, utilities, municipalities, transportation, manufacturing, education, financial services, and healthcare, the traditional insurance-driven approach to risk seems to prevail.

As such, companies place the responsibility for risk under the insurance and/or finance umbrella. By default, this implies that all risks have financial value. I would not argue with that, but we should be clear on the source of the value, and there are many sources.

In today’s environment, managing risk is both a function and a capability. Therefore, allocating responsibility to areas that are beyond finance and insurance makes sense.

Having a risk department does not serve the business in its day-to-day activities.

Consequently, unanticipated events continue to happen – a phenomenon known as ‘I didn’t see that one coming!’ Given the complexity and lack of process, one is blindsided.

Questions remain as to why a ‘risk program’ is not generating value. It’s not the program that needs to work – it’s the people and culture that need to make it work – and that is driven by leadership.

Consider the image below . . .




Your organization is inside the red circle.  All your operational risks are inside that circle.

The strategic and financial risks are the small blue and green circles, external to your business.

The small circles can, and likely will, impact your business operations.

There are many moving pieces to keep monitoring.

The number of people who are searching to learn how to manage risk in a complex environment is growing every month and every year. The evidence is in the number of people taking courses and asking for training programs. Statistics show that there is a huge unmet need.

During the past 17 years of teaching/training/coaching and advising executives and managers on effective practices in risk management, I have found that textbooks and other books published on risk have different and distinct features.

The textbooks, such as those used for ‘Risk Professional’ accreditation by RIMS or GRMI, have a primary focus on insurance and hazards (this is the old traditional model).

The published books on risk (and there are many) are mostly by self-acclaimed risk experts drawn from the financial sector, such as insurance, financial planning, capital markets and finance, and they mostly focus on the financial quantification of risk. Do a Google search and see what you get.

In practice, teaching or learning from a textbook does not achieve results that come close to the effects that focused training/coaching/mentoring provide. The training/coaching and mentoring are based on the experiences of practical application in today’s business environment.

What none of the books can teach is how to integrate the concept of risk into strategy, decision-making, problem-solving and business processes.

Managing risk requires critical thinking and that takes practice.

That lack of integration is the biggest missing piece that I have gleaned from the report and from direct exposure to nearly 1,000 businesses.

The art and discipline of managing risk & uncertainty is not learned from a book.

If businesses try to create a ‘risk management process’ that is separate from business processes, the integration will not occur. It will result in risks not being anyone’s responsibility but the risk department’s.

I’m advocating the use of systematic identification of risk and indicators as part of key business processes. The important step in doing so is to recognize what can be controlled or influenced and what cannot be.

What has dramatically changed after the introduction of two important standards, ISO 31000:2018 and COSOII:2017, is how the ‘Bow Tie’ Model was adapted.

The Bow Tie has been around for decades and it is still the simplest model for understanding the obvious difference between a risk and a problem.

Uvidi adapted the Bow Tie Model for the purpose of using a business process as a management tool that recognizes that risk is everywhere.


What this adaptation has allowed businesses to do is to integrate risk management into their daily business practices – which is where the management of risk belongs.

Additionally, the risk-embedded process has a feature to assist businesses in assessing the gaps in their capabilities and the patterns that contribute to an inability to respond to or mitigate a risk event.

The revised and adapted model creates a distinction between what is a risk and what is a problem. This distinction helps to develop a risk register that contains those risks that have had the benefit of a systematic process to identify, assess, monitor and mitigate top risks before an unintended event occurs.

Just think . . . no more . . . “I never saw that one coming!”

In summary, objectives are achieved by executing the right strategies, with the right capabilities and achieving the right outcomes despite the complexity.

Your business must thrive. And it does, when you have a clear path to reducing risks and uncertainty.

If you are in the >65% of public, private and non-profit organizations that want to realize the value of managing risk effectively, I welcome your questions about how you can achieve that.

I invite you to a conversation.   The link offers you the convenience of choosing a time that suits you best.

At Uvidi Management Group we help managers, executives and business leaders to steer through the hell-fire of business and make sense of their approach to strategy, changes, organizational effectiveness and their dealings with risks.

To obtain a copy of the full report. 

Feel free to contact me directly to discuss how we can help you raise the effectiveness in managing risk, uncertainty and performance.

In the meantime, I welcome your thoughts and feedback.
